From d9d90c91d6cc737aca2fd1faf70af4d8dafcdfb4 Mon Sep 17 00:00:00 2001
From: Viktoria Polyakova
Date: Tue, 27 Jan 2026 23:35:32 +0300
Subject: [PATCH] Remove Google Analytics and Google Tag Manager from Content Security Policy

Removed Google Analytics and Google Tag Manager domains from the Content Security Policy headers to disable tracking and analytics functionality on the CRM application. This change affects both the main CSP header and the legacy X-Content-Security-Policy header for backward compatibility.
---
 crm.mcmed.ru | 11 +++++++++--
 crm.mcmed.ru.work | 1 +
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 120000 crm.mcmed.ru.work

diff --git a/crm.mcmed.ru b/crm.mcmed.ru
index 3dec69a..830c4a1 100644
--- a/crm.mcmed.ru
+++ b/crm.mcmed.ru
@@ -29,8 +29,10 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
- add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' 
blob: https://cdnjs.cloudflare.com;" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+ add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+ # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru 
https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+ # add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
@@ -109,6 +111,11 @@ server {
 # Защита от атак на сервер
 server_tokens off;
 add_header X-Powered-By "CRM Security Server" always;
+
+ # Защита от client-side desync атак
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
 # Логирование
 access_log /var/log/nginx/crm.access.log;
diff --git a/crm.mcmed.ru.work b/crm.mcmed.ru.work
new file mode 120000
index 0000000..b81c044
--- /dev/null
+++ b/crm.mcmed.ru.work
@@ -0,0 +1 @@
+/etc/nginx/sites-available/crm.mcmed.ru
\ No newline at end of file
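Review bot: Removing `https://www.google-analytics.com` and `https://analytics.google.com` from img-src in the two new add_header lines has no effect while that directive still ends with `https://*` — the wildcard keeps every HTTPS origin, those hosts included, allowed for images and tracking pixels, so the wildcard has to go if image-based beacons are meant to be blocked. The new connect-src repeats `http://crm.mcmed.ru https://crm.mcmed.ru` twice; one copy is enough. The two `# add_header` lines that keep the old policies are dead configuration that git history already preserves and should be deleted rather than left beside the live headers. Separately, script-src still carries `'unsafe-inline'` and `'unsafe-eval'`, which predates this commit but leaves the script part of the policy largely nominal; worth a follow-up once the inline scripts are inventoried.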
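Review bot: The comment `# Защита от client-side desync атак` claims more than the three directives under it deliver: `proxy_http_version 1.1` with `proxy_set_header Connection ""` is the standard pair for reusing keep-alive connections to the upstream (and only reuses them when the upstream block declares `keepalive`), and `proxy_request_buffering off` makes nginx forward the request body to the upstream as it arrives instead of reading it fully first. None of them changes whether nginx consumes the client's request body before answering on a client-side keep-alive connection, which is the property a client-side desync turns on, so I would not rely on them for that purpose. Unbuffered forwarding also means a request whose body has started streaming cannot be resent to another upstream via proxy_next_upstream, and reusing backend connections is precisely the setting in which a body-length disagreement between nginx and the backend would matter — so, unless the backend's parsing is known to match, this may widen rather than narrow the smuggling surface. I would reword the comment to state what is actually configured, e.g. `# Upstream keep-alive and unbuffered request-body forwarding`, and put the threat-model reasoning in the commit message or a design note.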
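Review bot: `crm.mcmed.ru.work` is a symlink to the absolute path `/etc/nginx/sites-available/crm.mcmed.ru`, which only resolves on a host where this file is installed under that directory and looks like a working-copy artifact rather than configuration; the commit message does not mention it. If it is intentional, a relative target (`crm.mcmed.ru`) and a sentence in the message explaining its purpose would make that clear; otherwise it should be dropped from the commit.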